July 2003

Securing SMTP Email Traffic

Transport Layer Security takes you toward 100 percent security for your email

Getting a Certificate
When you click Certificate on a server that doesn't have a certificate for the specified protocol, ESM launches the IIS Certificate Wizard. The wizard will look familiar if you've ever used Microsoft IIS to request an SSL certificate. To request a certificate for Exchange to use, you must have administrative privileges on the Exchange server and the account you use must have permission to request the certificate from the CA.

After clearing the welcome screen, you need to specify what you want to do. If you're requesting a certificate for a virtual server that doesn't currently have one, your choices are to attach an existing certificate to the virtual server, import a backed-up certificate, or request a new certificate. If you're modifying an existing certificate, the wizard asks you to choose between renewing the certificate, removing it from the virtual server, and requesting a new one. Let's assume that you want to request a new certificate. After you click Create a new certificate, the process works as follows:

  1. The Delayed Or Immediate Request page lets you choose to use a remote procedure call (RPC) to send the request directly to an online CA or to save the request in Public-Key Cryptography Standards (PKCS) #10 format—the standard format used to request certificates. If you're using your own internal CA and the CA is online, select Send the request immediately to an online certification authority and click Next. If you're using an external CA or if your internal CA is offline, select Prepare the request now, but send it later, then click Next to generate a PKCS #10 file that you can send to the CA later.
  2. The wizard prompts you for a name and a key length for your certificate, as Figure 1 shows. Although Windows 2000 supports 512-bit keys, they are too short to be secure; always choose a key length of at least 1024 bits. Click Next.
  3. The wizard asks you to identify your organization and organizational unit (OU). These attributes are encoded into the issued certificate, so getting them right is important—the information you enter here is permanent. You have to type the information, so be sure you spell everything correctly. When you're satisfied with your entries, click Next.
  4. The wizard next asks for your site's common name (CN). The CN should be your server's Fully Qualified Domain Name (FQDN) as it will appear on the Internet. For example, if your SMTP server is exch-smtp-sea-1.fabrikam.corp and it has the external DNS name mail1.fabrikam.com, you'd enter mail1.fabrikam.com on this wizard page. If your machine's CN changes, you'll need to get a new certificate. Be sure to enter the correct DNS name—if you get it wrong (e.g., if the actual FQDN and the one in the certificate don't match), client applications such as Microsoft Internet Explorer (IE) will complain that the certificate is bad.
  5. The Geographical Information page asks you to pick the country (or region), the state (or province), and the city that you want in the certificate attributes. These entries aren't checked for validity, so be sure that what you enter here is what you want your certificate to say.

Up to this point, the procedure is the same whether you request a certificate from an online or offline CA. After you provide your geographic information, an online request prompts you to select the CA you want to use from a list of CAs visible to the requestor. (If the CA you want to use isn't listed, you can't submit a certificate to it.) Select a CA, then click Next. You'll see a summary screen of the parameters you've requested for your certificate; clicking Next again sends the request. When the request is successful, the certificate is installed automatically and you can begin configuring TLS.

Using a Third-Party CA
If you selected Prepare the request now, but send it later to submit a certificate to a CA outside your network or to a standalone CA that isn't integrated with Active Directory (AD), your submission process will be a bit different. After you provide geographic information, the wizard lets you choose where to save the request file. The request file is a plaintext, base-64-encoded PKCS #10 request. After saving the file, you need to submit it to your CA, typically through a Web-based interface. The details of the interface depend on the CA; for example, the interfaces for Thawte, VeriSign, and Comodo's InstantSSL look and behave somewhat differently from one another. Most vendors' Web sites prominently feature a set of instructions for submitting a request.

Microsoft's CA can also accept PKCS #10 requests through its Web interface. Let's walk through the process of using this CA to request and install a certificate.

  1. On your Exchange server, open IE and navigate to http://yourCA/certsrv, where yourCA is your CA's NetBIOS or DNS name. You should see the CA Welcome page. Select Request a certificate and click Next.
  2. The Choose Request Type page, which Figure 2 shows, asks you to select a request type. Because you want a certificate for a virtual server and you already have a saved request, select Advanced request and click Next. (The User certificate request list is for those who are requesting an end-user certificate.)
  3. The Advanced Certificate Requests page gives you three choices: submit a new request by using the CA's forms interface, submit a precreated PKCS #10 request, or request a certificate for a smart-card user. Because you want to use your existing certificate request, select Submit a certificate request using a base64 encoded pkcs #10 file or a renewal request using a base64 encoded pkcs #7 file, then click Next.
  4. The Submit A Saved Request page, which Figure 3, page 83, shows, is where you submit your request for processing. Use Notepad to open the PKCS #10 file on the machine on which your browser is running. Copy the file's contents and paste them into the Saved Request text box. (If you've configured the certificate server as a trusted site, you can use the Browse link to find and upload the request file.) Click Submit, and the system sends the request to the CA for processing.
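Neither procedure above checks, before the request reaches the CA, that the common name is really the external DNS name and that the key is long enough; the CA validates neither, and both are fixed once the certificate is issued. The following Python example, added here and not code from the article or from Microsoft's wizard, reads exactly those two attributes out of a saved base-64 PKCS #10 request file; the DER helpers, the constructed sample request with a dummy key and signature, and the Fabrikam subject values other than the two host names are assumptions for illustration.

```python
import base64
# DER-encoded OIDs: the X.500 attributes the wizard collects (2.5.4.N) and rsaEncryption.
OID = {k: bytes([0x55, 0x04, n]) for k, n in zip(("CN", "C", "L", "ST", "O", "OU"), (3, 6, 7, 8, 10, 11))}
OID_RSA = bytes.fromhex("2a864886f70d010101")

def der(tag, body):  # encode one DER tag-length-value element (short or long-form length)
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def walk(data):  # yield (tag, value) for each element inside the body of a DER SEQUENCE or SET
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
            ln, i = int.from_bytes(data[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        yield tag, data[i:i + ln]
        i += ln

def make_request(subject, key_bits):
    """Constructed PKCS #10 request: real structure, dummy RSA modulus and dummy signature."""
    name = der(0x30, b"".join(der(0x31, der(0x30, der(0x06, OID[k]) + der(0x13, v.encode())))
                              for k, v in subject))
    modulus = (1 << (key_bits - 1)) | 1  # odd and exactly key_bits long; not a real key
    rsa = der(0x30, der(0x02, b"\x00" + modulus.to_bytes(key_bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    info = der(0x30, der(0x02, b"\x00") + name + der(0x30, alg + der(0x03, b"\x00" + rsa)) + der(0xA0, b""))
    csr = der(0x30, info + alg + der(0x03, b"\x00" + bytes(16)))  # zero bytes stand in for the signature
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.b64encode(csr).decode()
            + "\n-----END NEW CERTIFICATE REQUEST-----\n")

def inspect_request(pem):
    """Return (subject CN, RSA modulus bits) read from a base-64 PKCS #10 request."""
    raw = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    _version, subject, spki, *_ = walk(next(walk(next(walk(raw))[1]))[1])  # CertificationRequestInfo
    # subject is a SEQUENCE of RDNs, each here a SET holding one SEQUENCE { OID, value }
    attrs = dict(tuple(v for _, v in walk(next(walk(rdn))[1])) for _, rdn in walk(subject[1]))
    cn = attrs[OID["CN"]].decode() if OID["CN"] in attrs else None
    _alg, (_, bitstr) = walk(spki[1])
    modulus = next(walk(next(walk(bitstr[1:]))[1]))[1]  # skip unused-bits byte, enter RSAPublicKey
    return cn, int.from_bytes(modulus, "big").bit_length()

def check_request(pem, external_fqdn, min_bits=1024):  # what the CA would otherwise bake into the certificate
    cn, bits = inspect_request(pem)
    findings = {f"CN is {cn!r}, but the external DNS name is {external_fqdn!r}": cn != external_fqdn,
                f"RSA key is {bits} bits; at least {min_bits} required": bits < min_bits}
    return [message for message, bad in findings.items() if bad]

# Constructed sample using the article's names; state, city and OU are made up for the example.
FABRIKAM = [("C", "US"), ("ST", "WA"), ("L", "Seattle"), ("O", "Fabrikam"), ("OU", "IT"), ("CN", "mail1.fabrikam.com")]
SAMPLE_REQUEST = make_request(FABRIKAM, 2048)
```

Run `check_request` on the file the wizard saved, passing the external name you expect (mail1.fabrikam.com in the article's example), and submit only when it returns an empty list.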

